A storage system is a computer that provides storage service relating to the organization of information on writable persistent storage devices, such as memories, tapes, disks or solid state devices, e.g., flash memory, etc. The storage system is commonly deployed within a storage area network (SAN) or a network attached storage (NAS) environment. When used within a NAS environment, the storage system may be embodied as a file server including an operating system that implements a file system to logically organize the information as a hierarchical structure of data containers, such as files on, e.g., the disks. Each “on-disk” file may be implemented as a set of data structures, e.g., disk blocks, configured to store information, such as the actual data (i.e., file data) for the file.
A network environment may be provided wherein information (data) is stored in secure storage served by one or more storage systems coupled to one or more security appliances. Each security appliance is configured to transform unencrypted data (cleartext) generated by clients (or initiators) into encrypted data (ciphertext) destined for secure storage or “cryptainers” on the storage system (or target). As used herein, a cryptainer is a piece of storage on a storage device, such as a disk, in which the encrypted data is stored. In the context of a SAN environment, a cryptainer can be, e.g., a disk, a region on the disk or several regions on one or more disks that, in the context of a SAN protocol, is accessible as a logical unit (lun). In the context of a NAS environment, the cryptainer may be a collection of files on one or more disks. Specifically, in the context of the CIFS protocol, the cryptainer may be a share, while in the context of the NFS protocol, the cryptainer may be a mount point. In a tape environment, the cryptainer may be a tape containing a plurality of tape blocks.
Each cryptainer is associated with its own encryption key, e.g., a cryptainer key, which is used by the security appliance to encrypt and decrypt the data stored on the cryptainer. An encryption key is a code or number which, when taken together with an encryption algorithm, defines a unique transformation used to encrypt or decrypt data. Data remains encrypted while stored in a cryptainer until requested by an authorized client. At that time, the security appliance retrieves the encrypted data from the cryptainer, decrypts it and forwards the unencrypted data to the client.
One noted disadvantage that may arise during use of a security appliance is that certain operations may be long running and may generate a backlog within a processor of the security appliance. For example, execution of performing compression/decompression operations on, e.g., a tape data stream, by the processor may require significant amounts of time. Conversely, execution of single block encryption/decryption operations for data access requests directed to a disk drive may proceed rapidly. However, should a long-running tape compression/decompression operation be loaded onto an operations queue associated with the processor before a block-based encryption/decryption operation, execution of the encryption/decryption operation by the processor may have to wait until such time as the long-running operation completes. This may substantially lower overall throughput and reduce system performance.